From owner-freebsd-doc@FreeBSD.ORG Thu Oct 14 09:59:30 2004
Message-ID: <416E4DFD.3040203@FreeBSD.org>
Date: Thu, 14 Oct 2004 13:59:25 +0400
From: Denis Peplin
To: freebsd-doc@FreeBSD.org, Tom Rhodes
Subject: TCP Wrappers section (handbook/security): services is not daemons
List-Id: Documentation project

Hello!

Please look at the patch attached. I will commit it if there are no objections.

Content-Disposition: inline; filename="srv_d.diff"

Index: security/chapter.sgml =================================================================== RCS file: /home/dcvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v retrieving revision 1.228 diff -u -r1.228 chapter.sgml --- security/chapter.sgml 3 Oct 2004 23:35:59 -0000 1.228 +++ security/chapter.sgml 14 Oct 2004 09:53:40 -0000 @@ -1482,9 +1482,9 @@ The TCP Wrappers software extends the abilities of inetd to provide support for - every server daemon under its control. Using this method it + every service under its control. Using this method it is possible to provide logging support, return messages to - connections, permit a daemon to only accept internal connections, + connections, permit a service to only accept internal connections, etc. While some of these features can be provided by implementing a firewall, this will add not only an extra layer of protection but go beyond the amount of control a firewall can
@@ -1520,16 +1520,16 @@ in /etc/hosts.allow. - In the simplest configuration, daemon connection policies + In the simplest configuration, service connection policies are set to either be permitted or blocked depending on the options in /etc/hosts.allow. The default - configuration in &os; is to allow a connection to every daemon + configuration in &os; is to allow a connection to every service started with inetd. Changing this will be discussed only after the basic configuration is covered. Basic configuration usually takes the form of - daemon : address : action. Where - daemon is the daemon name which + service : address : action. Where + service is the service name which inetd started. The address can be a valid hostname, an IP address or an IPv6 address enclosed in @@ -1544,7 +1544,7 @@ in a later section. A simple configuration line may easily be constructed from that information alone. For example, to allow POP3 connections via the - mail/qpopper daemon, + mail/qpopper service, the following lines should be appended to hosts.allow: @@ -1564,7 +1564,7 @@ options too; they will allow for more control over the way connections are handled. In some cases it may be a good idea to return a comment to certain hosts or - daemon connections. In other cases, perhaps a log file + service connections. In other cases, perhaps a log file should be recorded or an email sent to the administrator. Other situations may require the use of a service for local connections only. This is all possible through the use of 
@@ -1584,15 +1584,15 @@ execute a shell command or script. An example already exists in the hosts.allow file: - # The rest of the daemons are protected. + # The rest of the services are protected. ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." This example shows that the message, - You are not allowed to use daemon + You are not allowed to use service from hostname. will be returned - for any daemon not previously configured in the access file. + for any service not previously configured in the access file. This is extremely useful for sending a reply back to the connection initiator right after the established connection is dropped. Note that any message returned @@ -1603,7 +1603,7 @@ It may be possible to launch a denial of service attack on the server if an attacker, or group of attackers could - flood these daemons with connection requests. + flood these services with connection requests. Another possibility is to use the @@ -1624,7 +1624,7 @@ This will deny all connection attempts from the *.example.com domain; simultaneously logging the hostname, IP - address and the daemon which they attempted to access in the + address and the service which they attempted to access in the /var/log/connections.log file. Aside from the already explained substitution characters @@ -1639,7 +1639,7 @@ continuously throughout the examples. Other options exist which could extend the functionality a bit further. For instance, ALL may be used to match every - instance of either a daemon, domain or an + instance of either a service, domain or an IP address. Another wildcard available is PARANOID which may be used to match any host which provides an IP address that may --------------000609030204040806050200--
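Review bot: in the @@ -1520,16 hunk the syntax line becomes `service : address : action` with `service` defined as "the service name which inetd started", but hosts_access(5) defines this first field as a daemon list, matched against the daemon process name (argv[0]), which for a server started by inetd is the name of the program inetd executes (the qpopper binary, to take the example the section itself uses), not the port name listed in /etc/services. A reader who takes "service name" literally will write a rule such as `pop3 : ...` that never matches. Either keep "daemon" in this one line and in the sentence that defines it, so the Handbook stays consistent with hosts_access(5), or add a sentence stating that the service is identified by the name of the program inetd runs for it.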
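Review bot: "the mail/qpopper service" in the @@ -1544,7 hunk mixes a port name with the new term: mail/qpopper is the port that installs the POP3 daemon, so the phrase reads as if the port itself were the service. Suggest "the POP3 service provided by mail/qpopper", or simply "via mail/qpopper", and leave the rest of the sentence unchanged.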
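Review bot: the @@ -1584,15 hunk rewrites the quoted comment `# The rest of the daemons are protected.` to `services`, but the surrounding text introduces this block as an example that "already exists in the hosts.allow file", so the Handbook copy should match the shipped file verbatim; unless /etc/hosts.allow in src is changed in the same round, leave that comment line as it is. In the same hunk the paraphrase "You are not allowed to use service from hostname" now diverges twice from the rule it describes, which prints "You are not welcome to use %d from %h." where %d, per hosts_access(5), expands to the daemon process name. Suggest quoting the echo text literally ("You are not welcome to use daemon from hostname") or adding that %d expands to the name of the program handling the service.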